[Date Prev][Date Next]
Re: (ITS#6943) segfault in rwmmap in 2.4.25
> In regard to: Re: (ITS#6943) segfault in rwmmap in 2.4.25, Pierangelo...:
>>> At the time of the search, the very last thing that was logged was
>>> May 17 17:03:03 server2 slapd: conn=28588 op=3 SRCH
>>> base="cn=groups,dc=ndsu,dc=nodak,dc=edu" scope=2 deref=0
>>> May 17 17:03:03 server2 slapd: conn=28588 op=3 SRCH attr=cn
>>> apple-generateduid gidNumber apple-group-realname ttl sambaSID rid
>>> primaryGroupID apple-keyword apple-group-nestedgroup
>>> I'll happily provide any details that I've mistakenly left out or that
>>> in debugging the issue.
>>> The issue certainly could be caused by an error in my rwmRewriteRule,
>>> but I
>>> imagine that slapd shouldn't segfault even if my rwmRewriteRule is
>> Yes (I believe), and yes. I believe the mapping is being applied to an
>> attribute that is not explicitly defined in the schema, but rather
>> proxied or
>> somehow treated as undefined. For this reason, the matching rule
>> pointer is
>> NULL. Can you check the definition of "apple-group-nestedgroup", if
>> any? Of
>> course, slapo-rwm should not crash on something like this.
> Thank you Pierangelo.
> We don't have any definition for apple-group-nestedgroup in any of the
> schemas that I have loaded. It's not something we support. We're also
> not doing any proxying. Note also that the search base it's using
> (cn=groups,dc=ndsu,dc=nodak,dc=edu) isn't valid. So, it's some Apple
> system on campus that someone has set up to query our LDAP tree, looking
> for things that the Mac OS X expects to find, but that we don't have or
> One thing that confuses me a little -- I set the rwm-rewriteContext to
> "bindDN", which I perhaps incorrectly believed meant that rewriting would
> only be done for authenticated binds (i.e. not anonymous binds), and
> this client did not authenticate. I was under the mistaken impression
> rwm shouldn't even be called in cases like this. I don't (currently) need
> rewrite searches or results from searches, only the bind credentials, for
> when we eventually enable support for ldap authentication.
> Does that answer your question? Would it be helpful to see either my
> original slapd.conf or the slapd-config that results from the conversion?
Yes, either would be useful. Thanks, p.